Abstract:
"Domain fronting" is a versatile and practical censorship circumvention technique based on HTTPS. It uses different names at different network layers to fool a censor as to the true destination of a message. Fronting addresses one of the trickiest aspects of circumvention--that proxies are typically trivial to block once found--by colocating proxies with important web services that cannot be blocked without causing great disruption. Among such fronting-capable services are Google and most large CDNs.

I'll describe the basic idea behind domain fronting (it's very easy) and the outcome of six months and counting of deployment. Fronting powers one of Tor's most-used "pluggable transports," which now serves over a thousand users at any time, and grants access even to users in highly censored places like China. Other circumvention systems have even larger deployments. For many colorful details, see the summary page

April 08, 2015Privacy-Preserving Shortest Path Computation

Speaker:
David Wu

Abstract:
Navigation is one of the most popular location-based services today. But in virtually all cloud-based navigation systems, the client must reveal her location or intended destination to the cloud in order to learn the fastest route. In this talk, I will describe a new protocol for computing shortest paths in road networks that provides privacy for both the client’s query and for the map provider’s routing data. First, I will describe an efficient method for compressing the next-hop routing matrices for road networks. Applying this method to the map of Los Angeles, I show that we can achieve over tenfold reduction in the representation size. Moreover, the structure of our compressed representation enables an efficient cryptographic protocol suitable for real-time navigation in cities. To conclude the talk, I will describe our implementation of our private routing protocol and discuss some of the benchmarks we performed on real road networks for major cities such as Washington D.C. and Los Angeles.

Joint work with:
Joe Zimmerman, Jeremy Planul, and John Mitchell

April 15, 2015Storing 56-bit Keys in Human Memory

Speaker:
Joe Bonneau

Abstract:
The talk will challenge conventional wisdom that users cannot remember cryptographically-strong secrets. We tested the hypothesis that users can learn randomly-assigned 56-bit codes (encoded as either 6 words or 12 characters) through spaced repetition. We asked remote research participants to perform a distractor task that required logging into a website 90 times over up to two weeks with a password of their choosing. After they entered their password correctly we displayed a short code (4 letters or 2 words, 18.8 bits) that we required them to type. For subsequent logins we added an increasing delay prior to displaying the code, which they could avoid by typing the code from memory. As participants learned, we added two more codes to comprise a 56.4-bit secret. Overall, 94% of participants eventually typed their entire secret from memory, learning it after a median of 36 logins. The learning component of our system added a median delay of just 6.9 s per login and a total of less than 12 minutes over an average of ten days. 87% were able to recall their codes exactly when asked at least three days later, with only 21% reporting having written their secret down. As one participant wrote with surprise, "the words are branded into my brain." This talk will overview the potential of training users to memorize strong random passwords for high-security applications.

Work appeared at:
USENIX Security 2014

April 22, 2015Robust and Efficient Elimination of Cache and Timing Side-Channels

Speaker:
Benjamin Braun

Abstract:
Timing side-channels allow attacks against many cryptographic implementations and privacy-preserving applications. A popular strategy for defending against these attacks is replacing each code sequence that works with secrets with a sequence of hardware instructions whose timing and memory access patterns are independent of the secrets. This solution is brittle and often difficult to get right. In this talk, we present a robust technique that combines worst-case-runtime padding with CPU socket isolation to yield a general-purpose defense against both end-to-end timing attacks and cache snooping attacks. We employ our solution to protect code written in multiple languages, including C and Java. We show that the timing side-channel leaks no information when our approach is used, and that our approach defeats known timing and cache-based attacks. Finally, we show that our approach has low performance overheads in many cases on private servers and in the cloud.

April 29, 2015The Most Dangerous Code in the Browser

Speaker:
Stefan Heule

Abstract:
Browser extensions are ubiquitous. Yet, in today's browsers, extensions are the most dangerous code to user privacy. Extensions are third-party code, like web applications, but run with elevated privileges. Even worse, existing browser extension systems give users a false sense of security by considering extensions to be more trustworthy than web applications. This is because the user typically has to explicitly grant the extension a series of permissions it requests, e.g., to access the current tab or a particular website. Unfortunately, extensions developers do not request minimum privileges and users have become desensitized to install-time warnings. Furthermore, permissions offered by popular browsers are very broad and vague. For example, over 67% of the top-500 Chrome extensions can trivially leak the user's data from any site. In this paper, we argue for a new extension system design that protects the user's privacy from malicious extensions. A system employing this design can enable a range of common extensions to be considered safe. Specifically, extensions do not require user permissions and can be ensured to not leak information, while allowing the user to explicitly share information when desired. This makes permission requests a rarity and thus meaningful.

May 06, 2015Cyber Safety for Sharks

Speaker:
Per Enge, Dept. of Aeronautics and Astronautics

Abstract:
Overfishing is a critical problem across many of the world’s fisheries, and depletion of apex predators such as tunas, billfishes, and sharks is becoming particularly acute. Forward-thinking organizations are working to protect these fish populations by establishing marine sanctuaries where no-take zones should allow depleted species to recover. Today, poachers routinely violate these no-take zones and authorities are unable to monitor the large areas under protection. Hence, Stanford University is now building a FishChip that will be affixed to the fish and immediately send the GPS location to authorities via Iridium satellites when the animal is caught. A saline sensor detects that the shark has been caught and is being lifted onto the poacher’s boat. This event triggers the device to quickly send the GPS signals back to the authorities via the Iridium satellite communication system. The GPS data will be sent within seconds before the poachers are able to destroy the tag.

Even so, this first generation FishChip is not secure. The poachers will eventually deny the GPS service by broadcasting a powerful jamming signal from deckside. Alternatively, they can send a counterfeit GPS signal from their deck to spoof the GPS signals that are transmitted back to the authorities. We have now embarked on the design of a second generation FishChip that will be hardened against these jammers and spoofers. It will no longer use GPS; the GPS satellites are in Medium Earth Orbit some 20,000 km from Earth, and so the GPS signals are very easy to deny with deckside jammers. Instead, we will use Doppler signatures from the Iridium satellites. These signals are 30 dB stronger than GPS, and so the needed deckside jammer would be more conspicuous and detectable at much longer ranges. Moreover, we will send digital signatures over Iridium that are nearly impossible to predict, and so spoofed signals would be detected at the authority’s server that would have knowledge of the signatures in real time.

May 13, 2015Recommendations for Randomness in the Operating System

Speaker:
Henry Corrigan-Gibbs

Abstract:
Common misconceptions about randomness underlie the design and implementation of randomness sources in popular operating systems. In this talk, I will debunk these fallacies with a survey of the "realities of randomness" and will describe a number of new architectural principles for OS randomness subsystems.

Joint work with:
Suman Jana

May 20, 2015No Lunch -- IEEE S&P and Simons Workshop

May 27, 2015Rust, Unsafe, and the Nature of TCB in Programming Languages

Speaker:
Edward Z. Yang

Abstract:
Rust is a new systems programming language, whose goal is to support low-level systems programming with more safety than C/C++. Its success is, in large part, due to its willingness to compromise on types: many core libraries are implemented by using "unsafe blocks", which sidestep Rust's (necessarily) conservative type system.

Like Rust's type checker and compiler, unsafe code is part of the trusted computing base of the language; incorrectly written unsafe code can result in security vulnerabilities. However, unlike a type system, the invariants for unsafe code are not obviously well-defined. Does this mean we should just give up? No! In this talk, I want to give a tutorial introduction to the dominant technique in the PL world for tackling this problem (logical relations) and explain why you should care about it.

Much credit must go to Derek Dreyer, Ralf Jung and Aaron Turon, who have been working on this problem a lot longer than I have, and Sergio Benitez, who asked me the right question.

June 03, 2015Summing up a Haystack: Privacy Preserving Reports for Rare Occurrences

Speaker:
Valeria Nikolaenko

Abstract:
There are many scenarios where a central party wants to collect reports from endpoints, and is interested in an aggregate result, such as a total sum or an average, rather than individual reported values. We present a protocol for delivering reports from endpoints to a central authority in a privacy preserving manner. Unlike methods based on randomized reports or differential privacy, the protocol we propose is suitable for collecting reports about rare occurrences, finding needles in a haystack, that would otherwise be masked by the added noise. This paper, discusses several possible approaches to the task, points out their advantages and limitations, presents our protocol for the case of computing an average over billions of reported values, and describes its security properties in light of the threat model.

Joint work with:
Yan Michalevsky and Dan Boneh

June 10, 2015Oblivious Storage and File Systems

Speaker:
Ali Mashtizadeh

Abstract:
Hosted storage solutions in the cloud are becoming common for both enterprise storage and personal storage. Even when data is encrypted, the I/O behavior leaks a lot of information about what applications are running and we can infer a lot about user behavior. Previous systems have had too much overhead to be practical. These existing techniques usually generate a constant load irregardless of the user’s workload costing users money in terms of bandwidth fees. We explore the benefits of solving oblivious storage in the file system layer, and how we can use the additional bandwidth for file system optimization. Secondly, we will consider a different security model that removes the constant load requirement.